Preface

Although I have tested this HowTo many times, there may still be bugs. This procedure worked this week, but who knows if it will do tomorrow; any update to glibc, Samba, or heimdal could break this HowTo into pieces.

Having backups of all modified files is recommended, as well as testing local login before any rebooting. In the worst case scenario, login will be broken for all users, including root - so be warned: Don't reboot or logout as root until you have checked everything.

Do not rely upon any information found in this guide without independent verification; use at your own risk.

Configuration

Please check your /etc/hosts file; it is important that it is configured correctly. If the machine dual-boots Windows and Linux, you have to use a different hostname and NetBIOS name for the Linux configuration, or the protected connection between Windows and the domain controller will be broken.

Heimdal / Kerberos - /etc/krb5.conf

Let's assume that your AD is named paradise.com. Let's further assume your AD is ruled by two domain controllers, a primary and a secondary one, named adam and eve (adam.paradise.com and eve.paradise.com respectively). Their IP addresses will be 192.168.0.1 and 192.168.0.2 in this example.

Heimdal 1.3.1 deprecated DES encryption, which is required for AD authentication against domain controllers older than Windows Server 2008. You'll probably have to add

allow_weak_crypto = true

to the [libdefaults] section. Since this re-enables single-DES for everything the Kerberos library does, remove it again once the domain controllers no longer need it.
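The HowTo does not reproduce the krb5.conf itself, so here is an added example (not from the original page) of a complete file for the PARADISE.COM realm described above, written to a scratch path, together with a small awk-based checker that confirms a setting is present in the right section. Realm, hostnames and addresses are the guide's; the scratch path and the krb5_setting helper are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: a sample /etc/krb5.conf for
# the PARADISE.COM realm of this guide (realm and hostnames are the guide's;
# the scratch path and the setting checker are this example's), plus a check
# that the setting Heimdal 1.3.1 needs for pre-2008 AD sits in the right
# section and not somewhere it has no effect.

SAMPLE_KRB5="${TMPDIR:-/tmp}/krb5.conf.sample"

# Write the sample configuration to the path given as $1.
write_sample_krb5() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = PARADISE.COM
    # Heimdal 1.3.1 deprecated DES, which AD before Windows Server 2008
    # still needs; drop this line again once the DCs no longer need DES.
    allow_weak_crypto = true

[realms]
    PARADISE.COM = {
        kdc = adam.paradise.com
        kdc = eve.paradise.com
        admin_server = adam.paradise.com
    }

[domain_realm]
    .paradise.com = PARADISE.COM
    paradise.com = PARADISE.COM
EOF
}

# krb5_setting FILE SECTION KEY: print the first value of KEY found inside
# [SECTION] (and nowhere else), or nothing if it is not set there.
krb5_setting() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($1 == sect); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

write_sample_krb5 "$SAMPLE_KRB5"
printf 'default_realm     : %s\n' "$(krb5_setting "$SAMPLE_KRB5" libdefaults default_realm)"
printf 'allow_weak_crypto : %s\n' "$(krb5_setting "$SAMPLE_KRB5" libdefaults allow_weak_crypto)"
```

The checker is section-aware on purpose: an allow_weak_crypto line pasted under [realms] by mistake is silently ignored by Heimdal, and kinit then fails with an unhelpful "no supported encryption types" style error, so a check that only greps the whole file would give a false pass.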

Inside an AD, it is important that all machines run the same system time. To synchronize the time run:

/usr/bin/ntpdate adam.paradise.com

Now you can request a ticket from the AD domain controllers with the following command (the realm must be written in uppercase):

# kinit ADMINISTRATOR@PARADISE.COM

You'll now be asked for the password. If it is accepted, you are returned to the prompt without any further output.

PAM configuration for login

Now we have to change /etc/pam.d/login so that it sends its requests to the AD controllers. For logins, PAM should first ask for AD accounts, and fall back to local accounts if no matching AD account was found. Therefore, we add entries that include pam_winbind.so in the authentication process. Furthermore, we include pam_mkhomedir.so, so that when an AD user logs in, /home/paradise/user is created automatically.

We shall now tell Samba to use the PDC's database for authentication queries. Again, we use winbindd, which is part of the samba package. Winbind maps the UIDs and GIDs of the AD to our Linux machine. It uses a Unix implementation of RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let AD users access the Linux machine and to grant them permissions there. The best part of winbindd is that you don't have to define the mapping yourself; you only define a range of UIDs and GIDs. That's what we defined in smb.conf.
To include Winbindd into NSS calls, edit /etc/nsswitch.conf. Add winbind to the lines as shown here:
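The nsswitch.conf lines the HowTo refers to are not reproduced on this page. The following is an added example (not the original page's content) that makes the edit the way the preface recommends, with a backup first, and that can be re-run without duplicating the entry. It assumes "the lines" means the passwd and group databases, which are the ones winbind's NSS module serves; the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: enable winbind lookups in an
# nsswitch.conf the way the guide describes, with a backup first and without
# duplicating the entry on a second run. The sample file content is
# constructed; the function is meant for the real /etc/nsswitch.conf.

SAMPLE_NSS="${TMPDIR:-/tmp}/nsswitch.conf.sample"

# Write a minimal pre-winbind nsswitch.conf (constructed sample) to $1.
write_sample_nss() {
    cat > "$1" <<'EOF'
passwd: files
group: files
shadow: files
hosts: files dns
EOF
}

# nss_has_winbind FILE DB: succeed if the DB line (passwd, group, ...) lists winbind.
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$2:.*([[:space:]]|:)winbind([[:space:]]|$)" "$1"
}

# add_winbind_to_nss FILE: back up FILE to FILE.bak, then append winbind to
# the passwd and group lines (the databases winbind's NSS module serves, an
# assumption about what "the lines" in the guide means). Lines that already
# list winbind are left alone, so the function is idempotent. The result is
# copied back over FILE rather than moved, so ownership and mode survive.
add_winbind_to_nss() {
    f=$1
    cp -p "$f" "$f.bak" || return 1
    awk '
        /^[[:space:]]*(passwd|group):/ && $0 !~ /([[:space:]]|:)winbind([[:space:]]|$)/ {
            print $0 " winbind"; next
        }
        { print }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

write_sample_nss "$SAMPLE_NSS"
add_winbind_to_nss "$SAMPLE_NSS"
add_winbind_to_nss "$SAMPLE_NSS"   # second run must not add a duplicate
cat "$SAMPLE_NSS"
```

Keeping "files" first means local accounts such as root are still resolved even when winbindd is down, which is what makes the "keep one root session open" advice in the preface workable. For /etc/pam.d/login the common arrangement is an "auth sufficient pam_winbind.so" line ahead of the existing "auth required pam_unix.so" line, and "session required pam_mkhomedir.so" in the session stack; the exact stack is distribution- and version-specific, so it is not generated here.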

Starting and testing services

Starting Samba

Hopefully, you have not rebooted yet! Fine. If you are in an X session, quit it, so that you can test logging in on another console while you are still logged in.

Start Samba (including smbd, nmbd and winbindd):

/etc/rc.d/samba restart

Testing Winbind

Let's check if winbind is able to query the AD. The following command should return a list of AD users:

wbinfo -u

We can do the same for AD groups:

wbinfo -g

Testing login

Now start a new console session and try to log in with an AD account. As we told winbind to use default_realms, it should not be necessary to add the AD name.
Let's assume there is an AD user named kain. Try to log in as

kain
PARADISE+kain

Both should work. You should notice that /home/paradise/kain gets created.
Log into another session using a local Linux account, and check that you are still able to log in as root. Keep in mind to stay logged in as root in at least one session while testing!

Testing Samba commands

Try out some net commands to see if Samba can reach the AD:

net ads info
net ads lookup
net ads status

These commands print various pieces of AD-related information.
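The checks in the "Testing Winbind", "Testing login" and "Testing Samba commands" sections are the ones you will want to repeat after every change to smb.conf, nsswitch.conf or PAM. The script below is an added example (not from the original HowTo) that runs them in one go and counts the failures; it uses the guide's wbinfo and net commands plus two more Samba tools that exist in the same package (wbinfo -p to ping winbindd and wbinfo -t to verify the machine account secret), and getent to confirm NSS resolves an AD user. The user name kain is the guide's example; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: a smoke test for the winbind
# and Samba checks described in the guide. Assumes wbinfo, getent and net are
# on PATH (wbinfo and net ship with Samba). The default user is the guide's
# example user kain; pass another name as the first argument.

# run_check LABEL CMD [ARGS...]: run CMD, print PASS or FAIL (with the first
# lines of its output on failure), and return CMD's own success or failure.
run_check() {
    label=$1; shift
    if out=$("$@" 2>&1); then
        printf 'PASS  %s\n' "$label"
        return 0
    fi
    printf 'FAIL  %s\n      %s\n' "$label" "$(printf '%s' "$out" | head -n 3)"
    return 1
}

# ad_smoke_test [USER]: run every check in order, return the number that failed.
ad_smoke_test() {
    user=${1:-kain}
    failed=0
    run_check "winbindd answers (wbinfo -p)"               wbinfo -p             || failed=$((failed + 1))
    run_check "machine account secret valid (wbinfo -t)"   wbinfo -t             || failed=$((failed + 1))
    run_check "AD users listed (wbinfo -u)"                wbinfo -u             || failed=$((failed + 1))
    run_check "AD groups listed (wbinfo -g)"               wbinfo -g             || failed=$((failed + 1))
    run_check "NSS resolves $user (getent passwd)"         getent passwd "$user" || failed=$((failed + 1))
    run_check "domain controller info (net ads info)"      net ads info          || failed=$((failed + 1))
    printf '%d check(s) failed\n' "$failed"
    return "$failed"
}

# Run the suite only where Samba's tools are installed; otherwise the
# functions above can still be sourced and reused.
if command -v wbinfo >/dev/null 2>&1; then
    ad_smoke_test "$1"
else
    echo "wbinfo not found: install Samba, then run this script again" >&2
fi
```

The order is deliberate: if wbinfo -p already fails, winbindd is not running and every later check is noise; if wbinfo -t fails, the machine account password is wrong or the join has not happened yet, and user and group enumeration will fail for that reason rather than because of nsswitch.conf.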

Arch Linux becomes an AD member

You need an AD Administrator account to do this. Let's assume this is named Administrator. The command is 'net ads join'